CVE-2026-33287 - Vulnerability Details

- LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

Description

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.

Published: 2026-03-26

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The replace_first filter in LiquidJS misinterprets the $& pattern as a reference to the matched substring, creating an output substantially larger than the input. An attacker can exploit this behavior to trigger a memory amplification ratio of up to 625,000:1 while keeping the input within the configured memory limit, causing the application to exhaust available memory and become unresponsive. This defect aligns with input validation and resource exhaustion weaknesses.

Affected Systems

LiquidJS, a template engine used with Node.js and in Shopify/GitHub Pages environments, is affected in all releases prior to 10.25.1. The product is maintained by Harttle and is commonly integrated into web applications that process user‑controlled templates.

Risk and Exploitability

The vulnerability scores 7.5 on CVSS, indicating high severity, and has an EPSS score below 1%, reflecting a low current exploitation probability. It is not listed in CISA’s KEV catalog. The attack vector is likely remote via malicious template input, and successful exploitation results in denial of service for all users of the affected application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

harttle

liquidjs

affected

Version	Status	Constraints
`< 10.25.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Harttle

Liquidjs

100%

Version	Status	Scheme	Platform
`[0,10.25.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest LiquidJS patch (v10.25.1 or newer).
Verify that any deployed templates are not using the replace_first filter with untrusted data.

Generated by OpenCVE AI on March 30, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-6q5m-63h6-5x4v	LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d
https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v

History

Mon, 30 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Liquidjs Liquidjs liquidjs
CPEs		cpe:2.3:a:liquidjs:liquidjs::::::node.js::*
Vendors & Products		Liquidjs Liquidjs liquidjs

Thu, 26 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Harttle Harttle liquidjs
Vendors & Products		Harttle Harttle liquidjs

Thu, 26 Mar 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.
Title		LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
Weaknesses		CWE-20 CWE-400
References		https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Harttle Liquidjs

Liquidjs Liquidjs

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-26T00:33:20.024Z

Updated: 2026-03-26T15:02:26.164Z

Reserved: 2026-03-18T18:55:47.426Z

Link: CVE-2026-33287

Vulnrichment

Updated: 2026-03-26T14:18:41.797Z

NVD

Status : Analyzed

Published: 2026-03-26T01:16:27.530

Modified: 2026-03-30T16:46:03.917

Link: CVE-2026-33287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:44Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object